Restart detection for a Linux server

Hi,

I have created a rule to detect whether any of the Linux servers in my datacenter is restarted. In case any such event occurs the rule should fire; for this I used the normalized rule for system shutdown and abnormal shutdown.

This was working well when a server which has WebLogic running on it went down, but recently my other server went down and we didn't get any alarm for it. Can anyone help me by suggesting any other method to detect the shutdown or restart of a Linux server? Is there a uniform log we receive from Linux when the system goes down?

Re: Restart detection for a Linux server

I ran some tests across a couple of distributions and I don't see a consistent and reliable indicator in the logs that a system is going down every time. And that's when I'm intentionally shutting it down. I have no chance to get a log when there is a power outage or other external factors. I think system availability is a great use case; however, I think that the data source should be collected from a third-party device like the network monitoring tool. Do you use something like Nagios on your network that could generate up/down events for you?

Re: Restart detection for a Linux server

Hi Andy,

I don't have tools like Nagios, but I do have a test setup and I have tried shutting the system down with a command and by turning the power off as well. Similar to your finding, even I am unable to detect any uniform pattern or service which may be used to trigger an alarm for the system going down.

Have you ever tried the out-of-the-box normalized rule for detection of system shutdown/restart?

Re: Restart detection for a Linux server

Thank you for that idea. You're able to go into the Policy Editor and filter the rules under both ASP and Data Source for the Normalized ID and see all of the events that are mapped to it. I don't see any events that are in the Linux rule set, so we know the SIEM agrees there's not a common Linux shutdown log.

As I said though, I like the use case even if we need to get a little creative with it. Some of the options to consider might be:

1. Consider any boot-up logs that you see consistently. Is there anything unique enough that you would only see it on an actual boot as opposed to just a service restart? For instance, one thing I do consistently see is syslog starting back up, but I get the same messages when I restart the service so it's not definitive.
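To make the "unique enough to only appear on an actual boot" test concrete, here is an added example (my own code, not part of this thread and not from any SIEM vendor's rule set). It scans syslog lines for two markers that only a real kernel boot produces, the kernel banner ("kernel: ... Linux version ...") and systemd's "Startup finished", and for the orderly-shutdown messages systemd writes ("systemd[1]: Shutting down." and "systemd-shutdown[1]: Syncing filesystems ..."). A boot that arrives without a preceding shutdown message is reported separately, which is the power-cut or crash case the earlier reply says leaves no log. The rsyslog start line from the post above is included in the constructed sample to show that it does not trigger. It also adds a second, agent-side check that needs no shutdown log at all: the kernel mints a new `/proc/sys/kernel/random/boot_id` on every boot, so comparing it with the value saved last time catches any reboot once the box is back. The traditional rsyslog timestamp format, the marker strings, the `SAME_BOOT_WINDOW` dedupe interval and all log lines are assumptions I made for the example; the log sample is constructed, not captured.

```python
"""Reboot detection for Linux hosts: syslog markers plus a boot_id check.

Added example, not from the forum thread. Assumes rsyslog's traditional
file format ("Mar 14 08:01:12 host prog[pid]: msg") and the marker
strings below; sample log lines are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import Path

# Emitted once per real kernel boot. The kernel prints its "Linux version"
# banner when it starts and it reaches syslog via imklog/journald; a mere
# service restart never produces it. systemd's summary is per-boot too.
BOOT_MARKERS = (
    re.compile(r"\bkernel: (?:\[\s*\d+\.\d+\] )?Linux version "),
    re.compile(r"\bsystemd\[1\]: Startup finished in "),
)
# Written only on an orderly shutdown/reboot; absent after power loss or a panic.
SHUTDOWN_MARKERS = (
    re.compile(r"\bsystemd\[1\]: Shutting down\."),
    re.compile(r"\bsystemd-shutdown\[1\]: Syncing filesystems"),
)
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
# Both boot markers fire seconds apart on one boot; treat them as one event.
SAME_BOOT_WINDOW = timedelta(minutes=10)  # assumed value

# Constructed sample: web01 reboots cleanly, then rsyslogd is restarted by
# hand (no boot), then db02 comes up with no shutdown log at all.
SAMPLE_LOG = """\
Mar 14 08:01:10 web01 systemd[1]: Shutting down.
Mar 14 08:01:12 web01 systemd-shutdown[1]: Syncing filesystems and block devices.
Mar 14 08:02:03 web01 kernel: [    0.000000] Linux version 5.15.0-91-generic (buildd@host) (gcc 11.4.0) #101-Ubuntu SMP
Mar 14 08:02:09 web01 systemd[1]: Startup finished in 4.2s (kernel) + 12.7s (userspace) = 16.9s.
Mar 14 08:02:10 web01 rsyslogd: [origin software="rsyslogd" swVersion="8.2112.0" x-pid="812"] start
Mar 14 09:30:00 web01 rsyslogd: [origin software="rsyslogd" swVersion="8.2112.0" x-pid="2210"] start
Mar 14 11:47:31 db02 kernel: [    0.000000] Linux version 4.18.0-513.el8.x86_64 (mockbuild@host) (gcc 8.5.0) #1 SMP
Mar 14 11:47:40 db02 systemd[1]: Startup finished in 2.1s (kernel) + 9.4s (userspace) = 11.5s.
""".splitlines()


def parse(line, year=2024):
    """Split a traditional syslog line into (timestamp, host, message).
    The format carries no year, so the caller supplies one."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    stamp = f"{year} {m['mon']} {int(m['day']):02d} {m['time']}"
    return datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), m["host"], m["msg"]


def classify(msg):
    """'boot', 'shutdown', or None for everything else (service restarts included)."""
    if any(p.search(msg) for p in BOOT_MARKERS):
        return "boot"
    if any(p.search(msg) for p in SHUTDOWN_MARKERS):
        return "shutdown"
    return None


def detect_reboots(lines, year=2024):
    """Return [(timestamp, host, event)] with event in
    clean_shutdown / boot_after_clean_shutdown / boot_without_shutdown_log.
    The first boot ever seen for a host is reported as the latter, since
    there is no earlier shutdown in the data to pair it with."""
    events, last_boot, clean = [], {}, defaultdict(bool)
    for line in lines:
        parsed = parse(line, year)
        if parsed is None:
            continue
        ts, host, msg = parsed
        kind = classify(msg)
        if kind == "shutdown":
            if not clean[host]:           # one event per shutdown sequence
                events.append((ts, host, "clean_shutdown"))
            clean[host] = True
        elif kind == "boot":
            prev = last_boot.get(host)
            if prev is not None and ts - prev < SAME_BOOT_WINDOW:
                continue                  # second marker of the same boot
            last_boot[host] = ts
            tag = "boot_after_clean_shutdown" if clean[host] else "boot_without_shutdown_log"
            events.append((ts, host, tag))
            clean[host] = False
    return events


def check_boot_id(state_file, boot_id_file="/proc/sys/kernel/random/boot_id"):
    """Agent-side check run at boot or from cron: the kernel generates a fresh
    boot_id every time it starts, so a stored value that differs from the
    current one means the host rebooted, shutdown log or not.
    Returns (rebooted, current_boot_id) and updates the state file."""
    current = Path(boot_id_file).read_text().strip()
    state = Path(state_file)
    previous = state.read_text().strip() if state.exists() else None
    state.write_text(current + "\n")
    return (previous is not None and previous != current), current


if __name__ == "__main__":
    for ts, host, event in detect_reboots(SAMPLE_LOG):
        print(f"{ts:%b %d %H:%M:%S} {host:6} {event}")
```

Run against the constructed sample this reports one clean shutdown and one clean boot for web01, ignores both rsyslogd restarts, and flags db02 as a boot with no shutdown log, which is the alert the original poster was missing. The `boot_id` comparison only fires after the host is back up, so a server that stays down still needs an external up/down probe such as the Nagios check suggested above.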
